Breaking the Pixel 9 Sandbox: How a Hardware AV1 Decoder Became a Kernel Exploit Gateway
Google's Pixel 9 mediacodec sandbox can be escaped via the /dev/bigwave AV1 acceleration driver, enabling full kernel-level compromise from a 0-click RCE chain.
This analysis is based on research published by Project Zero Blog. CypherByte adds analysis, context, and security team recommendations.
Executive Summary
Security teams responsible for protecting executive devices, high-value endpoints, and Android-based enterprise fleets should treat this research as an urgent signal. Researchers at Google Project Zero have documented the second stage of a fully weaponizable 0-click exploit chain targeting the Pixel 9, demonstrating that the device's mediacodec SELinux sandbox — long considered a robust isolation boundary — can be broken via a largely overlooked hardware acceleration driver. This is not a theoretical attack surface: the research builds directly on a viable Remote Code Execution primitive in the Dolby Unified Decoder, meaning the path from network-delivered malicious media to kernel-level access is contiguous and does not require any user interaction whatsoever.
The broader audience that should internalize this finding extends well beyond Pixel device owners. This research exposes a systemic pattern in the Android security model: hardware-adjacent kernel drivers, written to serve performance optimization goals, routinely inherit the access permissions of the userland context they serve without receiving the same adversarial scrutiny applied to higher-profile attack surfaces. Mobile device management teams, Android OEM security programs, and threat intelligence practitioners tracking APT toolchains targeting mobile infrastructure should read this analysis in full. The techniques described here are precisely the class of primitives that sophisticated threat actors operationalize before public disclosure.
Technical Analysis
The attack chain begins with code execution inside the mediacodec SELinux context — a sandboxed process domain designed to isolate non-secure software decoders from the rest of the Android operating system. The AOSP security model treats this context as a meaningful trust boundary, restricting filesystem access, IPC channels, and system call exposure. In theory, a compromise of a media codec should not cascade into broader system access. In practice, as this research demonstrates, the sandbox is only as strong as its most permissive kernel interface.
DriverCartographer tool — a purpose-built instrument for enumerating kernel driver accessibility from specific SELinux contexts — the researcher identified that /dev/bigwave is reachable from within the mediacodec domain. BigWave is a hardware block integrated into the Pixel System-on-Chip (SOC) designed to accelerate AV1 video decoding tasks. Its accessibility from mediacodec is architecturally logical: codec processes need to offload decoding work to the hardware accelerator. The security problem is that this accessibility was apparently not subjected to rigorous adversarial review.The significance of reaching /dev/bigwave cannot be overstated. Android kernel drivers for hardware peripherals and SOC-integrated accelerators have been repeatedly demonstrated — across Project Zero research, academic work, and real-world exploit disclosures — to contain high-severity memory corruption vulnerabilities. These drivers are often developed under significant time pressure by hardware teams whose primary expertise is silicon performance, not secure coding. They frequently handle complex, attacker-controlled input structures (in this case, AV1 bitstream parameters and decoder configuration data) through ioctl interfaces with minimal validation. The combination of privileged kernel execution context, complex input parsing, and historically weak security posture makes hardware acceleration drivers exceptionally valuable targets for privilege escalation.
The exploit methodology follows a well-established escalation pattern: achieve code execution in a sandboxed userland context via the initial RCE (here, the Dolby Unified Decoder vulnerability), enumerate reachable kernel interfaces using tooling like DriverCartographer, identify a driver with exploitable characteristics, and leverage a memory corruption or logic vulnerability within that driver to achieve kernel code execution or equivalent privilege. With kernel access, SELinux policy enforcement can be disabled, arbitrary process credentials can be modified, and the entire Android security model collapses. The attacker transitions from a constrained media processing context to unrestricted device control — extracting encrypted data, deploying persistent implants, or pivoting to other devices on the same network.
Impact Assessment
The primary affected platform is the Google Pixel 9 and devices sharing the same SOC architecture incorporating the BigWave AV1 hardware accelerator. However, the research methodology and vulnerability class generalizes broadly. Any Android device that exposes hardware acceleration drivers to sandboxed media processing contexts — which describes the overwhelming majority of modern Android flagship devices — carries analogous risk. The specific driver changes; the attack pattern does not.
mediacodec, the /dev/bigwave driver is reached and exploited, kernel privileges are obtained, and a persistent implant is deployed — all before the target has any awareness that an attack occurred. Zero clicks. Zero prompts. Zero forensic artifacts visible to the user.From a real-world consequence perspective, this class of exploit chain represents the gold standard for commercial spyware vendors and nation-state offensive cyber programs. Fully 0-click chains targeting current-generation flagship devices command significant value on exploit markets and are operationalized in targeted surveillance campaigns against journalists, dissidents, attorneys, and government officials. The techniques documented here are consistent with capabilities previously attributed to vendors in the commercial surveillance industry. Organizations whose personnel represent high-value targets should treat this disclosure as an active operational concern, not an academic footnote.
CypherByte's Perspective
This research crystallizes a tension that has existed in Android's security architecture since the introduction of hardware abstraction layers and media sandbox isolation: performance and security are being optimized in parallel, but not together. The mediacodec sandbox was a meaningful security improvement when introduced. But each hardware accelerator added to a modern SOC — for video, audio, image processing, machine learning inference — represents a new kernel interface that the sandboxed process can reach, and therefore a new potential escape route. The sandbox perimeter expands with every silicon feature, while the security review capacity to audit each new driver interface has not scaled commensurately.
The introduction of tooling like DriverCartographer is a meaningful contribution to the defender ecosystem precisely because it makes the implicit explicit. Security teams and OEM security programs can now systematically enumerate what kernel interfaces are reachable from any given SELinux context — a capability that should have been part of the standard pre-release security review process for every Android device shipping with new hardware accelerators. The gap between what the SELinux policy intends to permit and what kernel drivers are de facto accessible is exactly where exploit chains like this one live. Closing that gap requires tooling, process, and organizational commitment from OEMs and the Android platform team alike.
Indicators and Detection
Detecting exploitation of this attack chain on a live device is exceptionally difficult given its 0-click, zero-user-interaction nature. However, the following indicators and detection strategies are relevant for security operations teams with mobile device visibility:
Process anomalies: Unexpected child processes spawned from mediacodec or mediaserver process namespaces warrant investigation. Legitimate codec operations do not fork persistent child processes or establish outbound network connections independently. Endpoint telemetry from mobile EDR solutions should be tuned to alert on mediacodec process tree anomalies.
SELinux denials and policy violations: A successful kernel exploit may involve attempts to modify SELinux enforcement state. Kernel audit logs capturing setenforce calls or denials related to unexpected domain transitions from mediacodec are high-fidelity indicators of post-exploitation activity. These logs require kernel-level telemetry collection, which most commercial MDM solutions do not currently provide.
Driver interaction patterns: ioctl call patterns to /dev/bigwave that deviate significantly from baseline AV1 decoding workflows — particularly calls occurring without associated video playback activity or with malformed parameter structures — may indicate exploitation attempts. This requires kernel-level syscall tracing, feasible in research environments and on devices enrolled in advanced mobile threat detection programs.
Network baseline deviations: Post-exploitation implant deployment typically involves command-and-control beacon traffic. Monitoring for unexpected outbound connections from media-associated process UIDs, particularly over non-standard ports or to low-reputation infrastructure, can surface successful compromises even when the initial exploitation is undetectable.
Recommendations
For enterprise security teams and MDM administrators: Ensure all managed Pixel devices are enrolled in the Android Enterprise security update program and confirm timely patch deployment. Devices that are more than one patch cycle behind on security updates should be considered elevated risk and flagged for expedited remediation. Consider restricting the ability of unmanaged applications to process externally-sourced media files on high-risk devices.
For Android OEM security programs: Integrate driver accessibility enumeration tooling — consistent with the DriverCartographer methodology documented in this research — into pre-release security review gates. Every hardware accelerator driver that is accessible from a sandboxed SELinux context should receive a dedicated adversarial security review before shipment. The accessibility surface should be explicitly documented and justified in threat model documentation.
For the Android platform security team: Consider whether the principle of least privilege can be more granularly applied to hardware accelerator driver access — for example, via additional ioctl-level SELinux mediation that restricts which specific commands a sandboxed context can issue to a hardware driver, rather than binary allow/deny access to the device node itself.
For threat intelligence and incident response teams: Update mobile threat hunting playbooks to include mediacodec process anomalies and BigWave driver interaction as indicators of interest. Engage mobile EDR vendors to understand current telemetry coverage gaps for kernel-level exploitation indicators on Android. Organizations with high-risk personnel should evaluate whether advanced mobile threat detection solutions — including periodic forensic collection consistent with MVT (Mobile Verification Toolkit) workflows — are warranted given this threat class.
This analysis is based on original research published by Google Project Zero. Full credit for the underlying vulnerability research and exploit development belongs to the Project Zero team. CypherByte's analysis represents independent interpretation and threat intelligence contextualization of publicly disclosed findings. Source: Project Zero Blog — A 0-click exploit chain for the Pixel 9 Part 2.
Get full access to all research analyses, deep-dive writeups, and premium threat intelligence.